Women in Tech: Interview
Updated: May 9, 2022
Heath Muchena from Business Africa Online and I discuss leadership, information security, challenges women face in the IT sector, and share thoughts on how to establish a successful career in the tech ecosystem. Some of his questions were quite thought-provoking. Here is what I came up with.
Heath: How do you balance the need for technical security solutions with the potential friction it can create for businesses?
Anna: Security’s ultimate goal is to help business stay in business and is an enabler rather than a “restrictor”. This requires security to sit at the decision-maker table from day one and not just be invited as an afterthought. Many technology trends, such as mobile, cloud, AI, etc., will only deliver the value if the solution has been built with adequate protection. It’s a bit like the analogy of the sports car: it can only really race fast if it has good brakes.
Where it becomes difficult is when compliance or security starts to stifle business objectives. In those cases, the business needs to make the ultimate decision, which includes taking full responsibility for and accepting any risks highlighted by the compliance or security team.
Heath: How important is it to take a business-focused view of technology in your sector? Do you recommend a business first, IT/security second approach?
Anna: I believe in applying a risk-based approach to security. This means prioritizing security controls that help protect and enable the business’s critical business processes, rather than just following a compliance drive or the latest technology trend. Sun Tzu’s Art of War “If you know the enemy and know yourself, you need not fear the result of a hundred battles” is a great analogy for this.
The first step in defending against cybercrime is getting to know both the possible threats as well as the organization’s weaknesses. Understanding what specific criminal motives might drive someone targeting your organization makes it easier to defend against. Think about the value of personal information you store, what opportunities exist to commit financial fraud or to extort a ransom payment? Who is the ideal victim within your organization and which channels might work best? What would the impact be? Questions like these allow you to identify and prioritize risks related to cybercrime.
Heath: How should IT leaders align their businesses with the need for security solutions?
Anna: The first step here is to raise awareness both amongst the IT leaders themselves as well as business decision makers and other executives about potential threats impacting their business processes. This will allow for more informed decision making when weighing up security versus functionality for example.
Heath: What’s your approach to providing information security guidance to organisations? How should risks be conveyed to boards who are not necessarily security experts?
Anna: As a security awareness company, we take internal awareness seriously. Every new joiner undergoes a rigorous induction training program, which includes all our policies and a lot of security awareness. We conduct frequent phishing simulations internally – meaning every employee will get at least one random simulated phishing email per week. People who fall for any of those have to undergo remediation training. Anyone who doesn’t take their remediation training within a week gets reported all the way up to the CEO.
In other organizations where security is not necessarily on the board’s agenda yet, I assisted in giving awareness sessions to the executives as a VIP target audience. This serves two purposes: Firstly, it raises the awareness level of the executives themselves, who are attractive targets for spear-phishing attacks. Secondly, it allows the Security team to get executive buy-in and, if lucky, even their involvement in further awareness campaigns across the rest of the organization. Having senior support is absolutely crucial in creating effective awareness, so this is usually the first step before starting anything else.
Heath: What KPIs or metrics do you use to measure the effectiveness of an information security program?
Anna: Measuring effectiveness of an overall security program should include different metrics for different audiences, as, for example, management may not necessarily understand the context of technical metrics such as vulnerabilities found, whereas they may be of value to the IT team. The metrics I’ve seen used in practice include:
- Heatmap of current threats and how the Security rates their confidence to defend against these (i.e. DDOS attacks, Advanced Persistent Threats etc.);
- Risks identified vs remediated;
- Audit findings % complete;
- Security standards assessments and health checks (i.e. against ISO 27001 standards or ISF framework or similar);
- Security Incidents and time to resolve / mitigate;
- Technical metrics, such as phishing, spam and malware blocked (in numbers), vulnerabilities found;
- Human behavior metrics.
Heath: How do you keep up with the latest security issues and methods?
Anna: I subscribe to cyber security blogs by experts such as Brian Krebs, Stu Sjouwerman, and Bruce Schneier. I also follow many interesting thought leaders on LinkedIn. I’m also fortunate enough to be part of a few industry WhatsApp groups where latest news or incidents are shared. As part of our content creation process I need to research latest scams, threats or technology trends.
Heath: Is Africa ready for the exponential nature of the change and impact of the 4IR? How should ICT leaders foster this change and ready their organisations and consumers for the fast-paced change presented by technologies?
Anna: The KnowBe4 African Cyber Security Survey 2019 has shown that Africans are not prepared for cyber threats. Since security is a prerequisite for any of the new technologies that will take us into the 4IR, more work needs to be done to not just address the security skill shortage on the continent (we only have about 10000 security professionals across the whole of Africa) but to also educate the public on the potential pitfalls and risks they are exposed to, ranging from sharing too much information to being aware of mobile malware and social engineering attacks.
Heath: Women in the technology ecosystem are definitely in the minority, so why did you decide to pursue a career in tech?
Anna: I got into the cybersecurity field coincidentally. I was lucky to get a student job at Siemens while I studied economics in Munich, Germany. They paid better than waitressing and I enjoyed the diversity and learning opportunity. Siemens also allowed me to write my thesis on the importance of information security from a business perspective back in 2001, when security was still very much a niche area.
I generally love learning new things and security requires you to learn every day as the landscape changes all the time. It’s such a fascinating field as security touches literally all the technology domains as well as the physical and human factors. There are many exciting opportunities for women in cybersecurity because of its overarching applicability.
Heath: What are some of the biggest challenges that women who want to venture in the world of technology face today?
Anna: Women sometimes tend to be less assertive as well as doubt themselves more than men do. I see this often in interviews: women too quickly highlight their shortcomings, whereas male counterparts display more confidence in tackling new challenges, even if they are not qualified yet.
As employers, we need to be aware of these subtle differences and encourage women more to take risks and trust their abilities. I always tell women who have self-doubts that if they mastered how to apply a smoky eye from watching it on YouTube, they can learn anything. Security might be complex, but it’s not rocket science and there are many areas in the field that are really interesting.
Heath: What do you think are the biggest misconceptions about working in the tech sector as a woman today?
Anna: That it is a male-dominated industry. I know many successful women in the tech sector and it’s an exciting field to get into for young girls and boys alike. Women, especially mums, are generally great jugglers, a skill that is needed in a demanding industry. This is a bit of a generalization, but a lot of women have great communication and creative skills, something that is absolutely key in running security awareness programs, project or change management programs.
Empathy and listening skills, another typical female trait, come in handy when trying to communicate technology or security to end users, upper level management or executives.
Heath: What influences your leadership style and what values are important to you?
Anna: I love learning, research and innovation and I’m not a typical people’s person. This makes me a more distanced leader as I leave my team to do what they do best. I strongly believe in hiring great people and giving them the freedom to become high performers by providing the vision and some guidance but not interfering in the way they do things. Unless they need assistance of course.
Heath: Who are your role models for women in tech?
Anna: I once was lucky enough to sit next to Cathy Smith, CEO of SAP Africa on a flight. She really inspired me to remain authentic.
We don’t have to be highly extroverted and loud alpha type personalities to be good leaders. Being soft-spoken, calm and relying on our female intuition is an often-underestimated superpower. Cathy reminded me of that. It was a very inspiring conversation, for which I’m very grateful.